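package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"

	"github.com/bluesky-social/indigo/atproto/identity"
	"github.com/bluesky-social/indigo/atproto/syntax"
	"github.com/charmbracelet/ssh"
	"github.com/charmbracelet/wish"
)

// pdsLookupTimeout bounds a single handle -> DID -> PDS resolution so that a
// slow or unresponsive resolver cannot hold an SSH session open indefinitely.
const pdsLookupTimeout = 10 * time.Second

// pdsDirectory is shared by every session. identity.DefaultDirectory builds a
// new caching directory on each call, so constructing it per lookup (as the
// previous version did) discarded the cache and re-resolved every handle from
// scratch on each connection.
var pdsDirectory = identity.DefaultDirectory()

// checkPDSAllowed resolves handle to its PDS endpoint and returns nil only
// when the endpoint's host appears in allowedPDS (declared elsewhere in this
// package). Any failure along the way — unparsable handle, lookup error,
// missing or malformed endpoint, host not allowlisted — is returned as an
// error so the caller can deny access.
//
// The handle is validated with syntax.ParseHandle before any network I/O, so
// an arbitrary string from the client never reaches the resolver.
func checkPDSAllowed(handle string) error {
	h, err := syntax.ParseHandle(handle)
	if err != nil {
		return fmt.Errorf("invalid handle: %w", err)
	}

	ctx, cancel := context.WithTimeout(context.Background(), pdsLookupTimeout)
	defer cancel()

	ident, err := pdsDirectory.LookupHandle(ctx, h)
	if err != nil {
		return fmt.Errorf("identity lookup: %w", err)
	}

	pdsURL := ident.PDSEndpoint()
	if pdsURL == "" {
		return errors.New("no PDS endpoint found")
	}

	parsed, err := url.Parse(pdsURL)
	if err != nil {
		return fmt.Errorf("invalid PDS URL: %w", err)
	}

	// A scheme-less or otherwise malformed endpoint parses as a path with no
	// host. Reject it explicitly rather than letting an empty host be compared
	// against the allowlist.
	host := parsed.Hostname()
	if host == "" {
		return fmt.Errorf("PDS URL %q has no host", pdsURL)
	}

	// DNS names are case-insensitive; a mixed-case endpoint in a DID document
	// must still match a lowercase allowlist entry.
	for _, allowed := range allowedPDS {
		if strings.EqualFold(host, allowed) {
			return nil
		}
	}
	return fmt.Errorf("PDS %s is not on the allowlist", host)
}

// pdsGateMiddleware denies the session unless the SSH username resolves to a
// PDS on the allowlist. The username (s.User()) is supplied by the client;
// whether it has been authenticated as that handle depends on the server's
// auth handlers, which are configured outside this file.
func pdsGateMiddleware() wish.Middleware {
	return func(next ssh.Handler) ssh.Handler {
		return func(s ssh.Session) {
			handle := s.User()
			if err := checkPDSAllowed(handle); err != nil {
				// The error text is echoed to the client's own terminal; the
				// write error is deliberately ignored because the session is
				// being torn down regardless.
				fmt.Fprintf(s, "\033[31mAccess denied: %s\033[0m\r\n", err)
				return
			}
			next(s)
		}
	}
}

// goodbyeMiddleware runs the wrapped handler to completion and then prints a
// farewell line to the session.
func goodbyeMiddleware() wish.Middleware {
	return func(next ssh.Handler) ssh.Handler {
		return func(s ssh.Session) {
			next(s)
			fmt.Fprintf(s, "Goodbye!\r\n")
		}
	}
}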